Wednesday, February 27, 2008

There are a couple of conferences this year I’m exceptionally thrilled to be flying out for, one in particular, Hack in the Box Dubai *what? you thought RSA? :)*. I’ve never visited the region, though I’ve heard a lot of amazing things. I’ve never attended a HiTB, but many others tell me they rock. For me personally, the best part is I’ve been invited to deliver one of the two conference keynotes. The other is by none other than Bruce Schneier! What an honor. Of course I’m also eager to see some of the top webappsec guys present, like Shreeraj Shah and pdp (architect), but also to have the opportunity to see talks by experts who don’t make it to the US. I plan to have an amazing time and learn a lot.

I’d like to thank Dhillon Andrew Kannabhiran, Founder/Chief Executive Officer, Hack in The Box for the privilege. And if any of the readers here are attending HiTB, please let me know by emailing and commenting below.

Friday, February 22, 2008

Today I decided to give the recently released Firefox 3 beta 3 a try because it looks like it has some slick new features. Also there seemed to be a rather large emphasis on security, and many of us have been waiting patiently to see how and when Mozilla would address JavaScript malware. According to the release notes, many of the newly added security features are directed toward Anti-Phishing, Anti-Malware, and more user-friendly SSL. Noble pursuits that I’m sure add value, just not what I’m personally into.

Tuesday, February 19, 2008

Update 02.19.2008: Maybe the title should have read, "It pays to be a Ukrainian hacker." Dan Goodin from The Register follows up by laying it out saying, "Prosecutors with the Justice Department are probably free to file criminal charges against Dorozhko for computer hacking. But given his status as a Ukrainian, it's doubtful they'd succeed. And even if they did, it's even less likely they'd recover the proceeds."

According to the nytimes (via /.), some guy (Mr. Dorozhko) hacked his way into IMS Health and obtained some prerelease earnings information. Mr. Dorozhko soon after invested ~$42K in put options betting the stock would dive, which it did when the information was publicly released, and he made a cool ~$300K. After the SEC investigation is where the story gets REALLY interesting.

Mr. Dorozhko gets to keep this cash because, according to the judge, “‘stealing and trading’ or ‘hacking and trading’ does not amount to a violation of securities laws.” Put another way, Mr. Dorozhko was not an “insider” and therefore can’t be charged with “insider trading.” Apparently the way the SEC laws work is that it’s legal to trade on information illegally obtained, but illegal to trade on information legally obtained. Wrap your mind around that.

Careful, all you would-be hackers: this is not to say that Mr. Dorozhko won’t be prosecuted on computer crime charges.

From the story it clearly sounds like what Mr. Dorozhko did was illegal, but what if the attack were more subtle in nature? Take Predictable Resource Location (Forced Browsing), a highly effective approach which exploits the behavior of negligent website owners who post files, but don’t necessarily link them in until a particular date/time has passed. A couple of years ago something similar happened in another SEC investigation involving Estonian stock traders. With PRL there is no need to circumvent password prompts, agree to any terms of service, or bypass any security systems. You simply ask for a file on the web server, which may contain some juicy market-moving data not yet publicly released.

So is obtaining insider information in this way legal? If so, and IANAL, then it would seem to be both legal to obtain insider information this way (via PRL) and legal to trade upon it.
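From the site owner's side, the risk described above is detectable: if you know which files were uploaded ahead of their release time, any successful request for one of them before that time is a forced-browsing leak. The following is an added example, not code from the original post; the log lines, hostnames, paths and embargo schedule are all constructed, and the combined-log format parsing is a simplification.

```python
"""Flag successful requests for embargoed files served before their release time."""
import re
from datetime import datetime, timezone

# Constructed sample access log (Apache combined-log style, hypothetical clients/paths).
SAMPLE_LOG = """\
203.0.113.7 - - [19/Feb/2008:08:12:01 +0000] "GET /ir/earnings-2008q1.pdf HTTP/1.1" 200 84213 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Feb/2008:08:12:04 +0000] "GET /ir/earnings-2008q2.pdf HTTP/1.1" 404 312 "-" "Mozilla/5.0"
198.51.100.4 - - [19/Feb/2008:15:30:10 +0000] "GET /ir/earnings-2008q1.pdf HTTP/1.1" 200 84213 "http://example.com/ir/" "Mozilla/5.0"
192.0.2.9 - - [19/Feb/2008:09:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.18"
"""

# Constructed embargo schedule: path uploaded early -> time it is meant to go public (UTC).
EMBARGO = {"/ir/earnings-2008q1.pdf": datetime(2008, 2, 19, 14, 0, tzinfo=timezone.utc)}

# client, timestamp, method, path, status; the rest of the line is ignored.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "when": when, "method": method, "path": path, "status": int(status)}


def find_premature_hits(log_text, embargo):
    """Return (ip, path, when) for every 200 response on an embargoed path before release."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != 200:
            continue
        release = embargo.get(rec["path"])
        if release is not None and rec["when"] < release:
            hits.append((rec["ip"], rec["path"], rec["when"]))
    return hits


def count_guesses(log_text):
    """Count 404s per client: a burst of misses is the usual footprint of filename guessing."""
    misses = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            misses[rec["ip"]] = misses.get(rec["ip"], 0) + 1
    return misses
```

The second request in the sample (a 200 after the release time, with a referer from the investor-relations page) is ordinary traffic and is not flagged; the first is the leak.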

Wednesday, February 13, 2008

Posts have been a little slow lately. Mostly that’s because I’ve been traveling around the country and focusing on getting some very cool new stuff out the door here at WhiteHat. However, I still have enough time to keep up on the news and latest chatter so figured why not discuss some of the more entertaining snippets:

1) Mark Potts (CTO of Software, HP), in an Information Week article, offered a real gem when claiming they now have nine out of the world's top 11 security hackers by way of the SPI Dynamics acquisition. Classic statement! I can only imagine how the SPI engineering teams cringed at that one. :) Of course a few bloggers decided to poke a little fun, I mean who can blame them. Then a fellow co-worker here said tongue in cheek that by the same logic it's possible that WhiteHat has 2 of the top 3. ;)

3) Most of us are already aware that the bad guys are hacking “trusted” websites and silently placing malware on them in an effort to compromise their visitors’ Web browsers. This is a highly effective approach, and many large brand-name websites have been used as launching pads. However, until I read Dan Goodin's Register article I wasn’t aware just how bad the problem had gotten:

“The findings come as Websense, a separate security firm that's based in San Diego, recently estimated that 51 per cent of websites hosting malicious code over the past six months were legitimate destinations that had been hacked, as opposed to sites specifically set up by criminals. Compromised websites can pose a greater risk because they often come with a degree of trust.”

About Me

Jeremiah Grossman's career spans nearly 20 years; he has lived a literal lifetime in computer security and become one of the industry's biggest names. He has received a number of industry awards and been publicly thanked by Microsoft, Mozilla, Google, Facebook, and many others for his security research. Jeremiah has written hundreds of articles and white papers. As an industry veteran, he has been featured in hundreds of media outlets around the world. Jeremiah has been a guest speaker on six continents at hundreds of events, including many top universities. All of this was after Jeremiah served as an information security officer at Yahoo!